What is external code execution in the `insecure-external-code-execution` option on Dependabot? #58657

yykamei · 2023-06-21T14:32:08Z

yykamei
Jun 21, 2023

Select Topic Area

Question

Body

In some package-ecosystem, we have to configure registries as well as insecure-external-code-execution to allow in order to let Dependabot access the private registries. If the two configurations are properly set, the document says like this:

external code execution that occurs will only have access to the package managers in the registries associated with that updates setting.

I'm curious what is external code execution in this explanation. I created a Ruby Gem that triggers an HTTP request when it's installed (the code is here), but it looks like not being prevented from accessing an external server. Even though I set insecure-external-code-execution to deny, Dependabot seemed to provoke an HTTP request; I expected Dependabot would fail. I wonder what is external code execution. What's the purpose of insecure-external-code-execution?

Thanks,

Answered by joevin-slq-docto

Feb 8, 2024

@bogn83 @yykamei you can understand why unexpected_external_code can be raised by reading this:

View full answer

yykamei · 2023-06-22T23:56:51Z

yykamei Jun 22, 2023
Author

Thank you! Do you know what is "external code execution"? I tried this code in my Ruby Gem to perform "external code execution", and it ran successfully even though insecure-external-code-execution is configured as deny. Isn't this an "external code execution"?

bogn83 · 2023-06-29T12:03:16Z

bogn83
Jun 29, 2023

We are also puzzled about the actual effects and concrete risks to e.g. GITHUB_TOKEN of the repo that dependabot is running for.

Here are the concrete questions:

Is GITHUB_TOKEN of the current repository also part of those stealable credentials OR STRICTLY ONLY what was entered with the Dependabot secrets UI?
How are the secrets injected into dependabot, can an attackers simply enumerate them or do they need to know the name of the secret?

0 replies

joevin-slq-docto · 2024-02-08T09:31:38Z

joevin-slq-docto
Feb 8, 2024

@bogn83 @yykamei you can understand why unexpected_external_code can be raised by reading this:

1 reply

yykamei Feb 9, 2024
Author

Thank you. This is very helpful.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

What is external code execution in the `insecure-external-code-execution` option on Dependabot? #58657

{{title}}

Replies: 3 comments 2 replies

This comment was marked as off-topic.

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

GitHub Community

What is external code execution in the insecure-external-code-execution option on Dependabot? #58657

yykamei Jun 21, 2023

Select Topic Area

Body

Replies: 3 comments · 2 replies

This comment was marked as off-topic.

yykamei Jun 22, 2023 Author

bogn83 Jun 29, 2023

joevin-slq-docto Feb 8, 2024

yykamei Feb 9, 2024 Author

What is external code execution in the `insecure-external-code-execution` option on Dependabot? #58657

yykamei
Jun 21, 2023

Replies: 3 comments 2 replies

yykamei Jun 22, 2023
Author

bogn83
Jun 29, 2023

joevin-slq-docto
Feb 8, 2024

yykamei Feb 9, 2024
Author